Detecting GPS Spoofing via a Multi-Receiver Hybrid ...web.stanford.edu/group/scpnt/pnt/PNT18/presentation...Use of Synchronized Data in Power Grid •Power grid state monitored by

University of Illinois at Urbana-Champaign 0

Detecting GPS Spoofing via a Multi-Receiver

Hybrid Communication Network for Power Grids

Tara Mina, Sriramya Bhamidipati, and Grace Xingxin Gao

University of Illinois at Urbana-Champaign

1

Use of Synchronized Data in Power Grid

• Power grid state monitored by Phasor Measurement Units (PMUs)

− Use civilian GPS for synchronization – vulnerable to spoofing

• Significant timing inaccuracies can induce generator trip [1]

• Potential cascading failure, similar to Northeastern Blackout 2003 [2]

1

[1] Shepard, et al, GPS World, 2012

[2] NERC Technical Analysis, 2004

[3] Kudeshia, et al, IEEE VTC, 2017 [3]


2

Prior Work and Main Challenges

• Presence of encrypted military P(Y) code for authentication [4-5]

• Shown handful of receivers (2-8) can be authenticated [6]

• Utilized centralized framework approach [7]

• Must extend to entire widespread network of PMUs

2

[4] Lo, et al, Inside GPS, 2009

[5] Psiaki, et al, IEEE TAES, 2013

[6] Heng, Work & Gao, IEEE ITS, 2015

[7] Bhamidipati, Mina & Gao, ION PLANS, 2018

[8] Hazra, et al, IEEE PES ISGT, 2014[8]


3

Key Objectives

• Develop spoofing detection architecture for coordinated

authentication of all PMUs, with existing resources

• Provide defense against coordinated spoofing attacks

• Demonstrate successful operation of algorithm during

government-sponsored, real-world spoofing scenario

3


4

Outline

• Hybrid Network Architecture Framework

• Spoofing Detection Algorithm

− Computing Preliminary Spoofing Statistic

− Generating Regionally Representative Snippets

− Determining Final Spoofing Decision

• Experimental Setup and Results

• Summary

4


5

NASPInet Communication Structure

• North American

Synchrophasor

Initiative network

(NASPInet) [9]

• Regional utility

networks connected

via Data Bus

• Resources

prioritized in regional

sub-networks

6

[9] Hu, Yi, NASPInet Technical Specifications, U.S. DOE, 2009


6

Hierarchical Architecture Network

• Utilize communication to compare received GPS signals

• Proposed hybrid architecture network will overlay NASPInet

7


7

High-level Process Diagram

8


8

Outline







• Summary

9


9

10

Authentication within Regional Network


10

Incorporate Representative Snippets

11


11

Outline







• Summary

12


12

Experimental Setup

Recorded GPS signal during live-sky spoofing event

13

Sample rate: 2.5 𝑀𝐻𝑧

Snippet length: 500 𝑚𝑠

Post-process: PyGNSS [10]

Spoofing Data

Collection Setup

Rooftop

Antenna

Setup

[10] Wycoff & Gao, GPS World, 2015


13

Typical Correlation Plots Observed

14

Typical correlation: single peak above noise floor


14

Authentication despite Noisy Correlation

15

Can utilize knowledge of tracking accuracy to pick peak through noise


15

Verifying Spoofing despite Noisy Correlation

16

Using tracking accuracy avoids choosing noisy result during spoofing


16

Preliminary Threshold Determination

17

Threshold chosen to maximize authentic / spoofed conditional probabilities

Generalized Gamma Distribution pdf:

Authentic:

𝛼 = 27.2𝑐 = 0.517𝛽 = 1.82𝑙 = 486

Spoofed:

𝛼 = 11.3𝑐 = 0.370𝛽 = 0.346𝑙 = 0

𝑓 𝑥, 𝛼, 𝑐, 𝛽, 𝑙 =𝑐 𝑦𝑐𝛼−1exp(−𝑦𝑐)

𝛾(𝛼)𝑦 = 𝛽(𝑥 − 𝑙)


17

Preliminary Statistics – Regional Networks

17

Spoofed

Authentic

Threshold

Threshold Authentic


18

Secondary Threshold Determination

18

Threshold chosen to maximize authentic / spoofed conditional probabilities

Generalized Gamma Distribution pdf:

Authentic:

𝛼 = 1.53𝑐 = 1.74𝛽 = 33.7𝑙 = 20.0

Spoofed:

𝛼 = 1.18𝑐 = 2.69𝛽 = 5.80𝑙 = 13.7

𝑓 𝑥, 𝛼, 𝑐, 𝛽, 𝑙 =𝑐 𝑦𝑐𝛼−1exp(−𝑦𝑐)

𝛾(𝛼)𝑦 = 𝛽(𝑥 − 𝑙)


19

Final Statistic – Representative Snippets

19

• U.S. representative snippet matches that of South America

• Snippet at Western U.S. receiver (spoofed) has poor match

ThresholdSpoofed

Signal from

Authentic

Receivers


20

Summary

• Proposed hybrid architecture to detect spoofing at each PMU

− Provides a defense against coordinated attacks on regional networks

− Use regionally representative snippets to reduce bandwidth / processing

• Demonstrated algorithm successfully operates on wide-spread

network during government-sponsored, real-world spoofing attack

− Detects signal manipulation on victim receiver

− Simultaneously authenticates other receivers in hybrid network

20


21

Acknowledgements

Special thanks to:

Prof. Jade Morton and Mr. Steve Taylor

for collecting data at the Peru, Chile, Colorado, and Ohio sites.

Additionally, thanks to our lab members:

Craig Babiarz, Arthur Chu, Matthew Peretic, and Cara Yang

for assisting with the experimental setup and data collection at the

Illinois site and the Western U.S. spoofing location.

21


22

22

Thank You!

Tara Yasmin Mina

Electrical and Computer Engineering


Email: [email protected]

mailto:[email protected]


23

Typical Spoofed Cross-correlation

25


24

Modeling Communication Delays

• Inherent delay due to overhead, may be different for each PMU

• Given: probability distribution of communication delay between

PMU and PDCs

• Assumption: Each additional delay is an iid random variable for

each PMU in the network

• Can determine CDF of time to receive all snippets from regional

network

23


25

Processing Time Required

• Inherent delay due to overhead, may be different for each PMU

• Given: 𝑀 devices in regional network, 𝑘𝑖 satellites observed at 𝑖𝑡ℎ

PMU, 𝐿 servers at central unit each with mean service rate of 𝜇

• Assumption: Poisson process for snippet arrivals, at rate 𝜆

• Utilization factor (fraction of time each server is busy processing):

• Expected time to condition all snippets:

24


26

Preliminary Statistics – Regional Networks

17

Threshold

Spoofed

Generate U.S.

Representative

Snippet

Generate S.A.

Representative

Snippet

Documents

Detecting GPS Spoofing via a Multi-Receiver Hybrid ...web.stanford.edu/group/scpnt/pnt/PNT18/presentation...Use of Synchronized Data in Power Grid •Power grid state monitored by